Offering · Compliance
The EU Cyber Resilience Act applies to virtually every connected product on the EU market. The obligations are concrete, dated, and closer than most roadmaps assume. ROSA's answer: compliance evidence generated by the foundation, not assembled by hand before every audit.
The deadlines
11 September 2026
Actively exploited vulnerabilities and severe incidents must be reported, with a 24-hour early warning to ENISA and your CSIRT. That presupposes you know what's in your firmware and whether it's affected. Without a current SBOM and CVE watch, you can't even start the clock.
11 December 2027
Security by design, vulnerability handling processes, secure update capability, and technical documentation, for the product's whole support life. Products designed in 2026 will ship into this regime. The foundation you choose now decides how expensive this becomes.
Regulation (EU) 2024/2847, in force. Dates per the regulation's application schedule.
The approach
Every CRA requirement maps to something ROSA produces as a by-product of normal development, visible in Atelier, exportable per release.
Generated by the build pipeline for every release, never maintained by hand, so never stale.
Vulnerability records matched against your actual SBOM. Every finding carries a state, an owner, and a handling note, and that record is your CRA vulnerability-handling evidence.
Secure OTA with rollback is a ROSA Foundation capability, not a per-product project. "Can you patch the field?" has a standing answer.
Test results, SBOM snapshot, and findings status, exportable as one package when someone asks. And someone will ask.
The CRA track in ROSA Atelier: findings against the live SBOM, handling states with owners, evidence packs per release.
What we promise, precisely
4Rooks does not certify your product, and you should be suspicious of anyone who claims their platform makes you "CRA compliant" by installation. Compliance is a property of your product and your processes.
What a foundation can do is make the evidence exist, stay current, and cost nothing extra to produce, so that when obligations, auditors, or customers ask, the answer is an export, not a quarter of engineering time.
Start small: the CRA readiness check
Two days, fixed price, on your portfolio: where you stand against the dated obligations, which gaps matter, and a prioritized plan to close them, whether or not ROSA is part of the answer.
Book the readiness check →A 45-minute call tells you whether you have a CRA problem, and how big. Free, no sales deck.